Poll: Is compliance a greater priority than actual security in your organization?


Poll: Compliance vs. Security

I've noticed a trend recently where compliance is being vilified for taking focus and priority away from Information Security for managers and executives. These decision makers see C-level executives with personal criminal liability outlined clearly in the 2002 United States Sarbanes-Oxley Act, and suddenly complying with the regulations becomes very important.

So the question of the poll is, does compliance (with any regulatory or industry standard) take precedence over _actual_ information security, or does compliance actually drive a broader understanding and support of security in your organization?

"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
"Anyone who is capable of getting themselves made president should on no account be allowed to do the job." --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." --Albus Percival Wulfric Brian Dumbledore

My organization is only a dozen members strong, making both issues fairly easy to stay on top of. The issue of compliance vs. actual security standards changes greatly depending upon the size of your outfit.

To subsequent posters: If you don't mind volunteering the size of your entity, please do so for comparison's sake. Thanks!

I am referring to my client, with whom I spend approx. 80% of my time working. They have a strong security culture in a small focus, but it is not the rule company-wide. Security is more of a forced-via-policy idea, rather than encouraged and supported through training.

However, being a Fortune 500 company with ~5000 employees, they are keen on compliance. The compliance officer (the party responsible for tracking compliance reporting, and the official 'auditor hand-holder') is much more interested in the creation of reports for accountability with IA than in actual security.


I work for a Fortune 500 with 100,000+ employees, and I can say without reservation that the company guideline is that compliance (or any kind of written policy) is more important than actual security.

So you are saying that as long as the policy says you need a firewall it's ok not to have one?

I understand that mindset - policy works where actual expenditure can still fail or be circumvented so why bother?

I believe the regulations are there to "encourage and educate" rather than "enforce" though flagrant disregard of the regulations is clearly punishable. Yes, the regulations tend to be written in a form that says "appropriate safeguards" which can mean anything to anyone - though it is appropriate to write them that way because of the diversity of risk that has to be addressed.

But let's face it... they are there... with a little "investigation" (can we say "risk assessment", which most regulations refer to in some way), it's pretty easy to determine how easy it is to far exceed requirements, document them and walk away "scot-free" after a "non-compliance issue" occurs... mainly because your solution was "improperly monitored" which, for the most part, isn't addressed in the regulations.

Frankly, if you spend more than 15 minutes looking at the regulations they are usually pretty clear as to how "little" they require. They are aimed at those who blow them off and think "It'll never happen to me"

As we have seen in the last six months, those that don't properly try to address the regulations are more and more frequently having to publicly admit to their breaches as a public relations act to try to save face. The damage done to them in soft terms far exceeds the damage done in hard terms - who's going to use the company that just lost the 40 million CC accounts in the next few years? The company is practically dead... And the risk assessment told them... what?

My organization is small and requires HIPAA compliance... I have 50-100,000 SSNs and their associated confidential client/medical/psychological data - I forget the "official" term for it right now - but I manage to far exceed the regulations for a total outlay of less than $7000 in hardware... The rest is free less my time... which is no more than an alert organization of my size should/would/could spend.

It's really very simple.... Without security there is no privacy. It can't be done - as Catch alludes to. You may feel that you can have all the requirements "down" without security but how do you know and how can you prove it if you have no auditability and assurance?

Don't SYN us... We'll SYN you... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Timmy hasn't answered yet, but let me play devil's advocate for a few of these.

Originally posted here by Tiger Shark:
So you are saying that as long as the policy says you need a firewall it's ok not to have one?

As far as I understand, most will say something like 'a properly configured firewall'. And no, it's not ok to have a policy that isn't being enforced. That's where IA comes in... you have to have the firewall (they will often want to see an active monitor/admin console for the device, "proving" it's in place), and a policy supported by documentation that a routine check of the firewall configuration and ruleset is done.

I understand that mindset - policy works where actual expenditure can still fail or be circumvented so why bother?

Agreed. Understand it too. But you have to choose your battles, I suppose. *sigh*

I believe the regulations are there to "encourage and educate" rather than "enforce" though flagrant disregard of the regulations is clearly punishable. Yes, the regulations tend to be written in a form that says "appropriate safeguards" which can mean anything to anyone - though it is appropriate to write them that way because of the diversity of risk that has to be addressed.

That depends entirely on the company, their corporate culture, their history...several factors. The more paranoid companies can be so overzealous to achieve the holy grail of "compliance" that they might just get some adequate security measures out of their efforts. But you are right, many will (as I say in option #2) only pay lip service and do the bare minimum to achieve something that vaguely resembles compliance.

But let's face it... they are there... with a little "investigation" (can we say "risk assessment", which most regulations refer to in some way), it's pretty easy to determine how easy it is to far exceed requirements, document them and walk away "scot-free" after a "non-compliance issue" occurs... mainly because your solution was "improperly monitored" which, for the most part, isn't addressed in the regulations.

Monitoring depends on which regulations. SOx is pretty specific about a few points... or at least, my client has auditors that are pretty specific about documenting that monitoring activities are occurring. The truthfulness of those documentation reports is left to the imagination of the reader...

Frankly, if you spend more than 15 minutes looking at the regulations they are usually pretty clear as to how "little" they require. They are aimed at those who blow them off and think "It'll never happen to me"

I disagree. To see how "little" they require, you have to have an extremely confident and liberal point of view... or not. It all depends on perspective. That's the great thing about these standards... we have so MANY of them!!! :P Seriously, it will depend a lot on which auditor/assessor you use (internal or external), what you are trying to comply with (SOx, GLBA, Visa-Mastercard CISP/SDP/PCI, etc. ad nauseam), and how much your management is willing to invest (not just monetarily... man hours and training go a long way too.)

My organization is small and requires HIPAA compliance... I have 50-100,000 SSNs and their associated confidential client/medical/psychological data - I forget the "official" term for it right now - but I manage to far exceed the regulations for a total outlay of less than $7000 in hardware... The rest is free less my time... which is no more than an alert organization of my size should/would/could spend.

Sounds very appropriate. This is not a publicly traded organization, I assume? Makes it a little easier on you... HIPAA is by no means a cakewalk, but it's easier not having to also worry about SOx and other regs here in the U.S.

It's really very simple.... Without security there is no privacy. It can't be done - as Catch alludes to. You may feel that you can have all the requirements "down" without security but how do you know and how can you prove it if you have no auditability and assurance?

Well... I'm not sure I can completely agree with you and catch on that. I mean, he has the right idea with his reply, I won't contest that. However, I don't think it is possible to achieve compliance without some degree of security (even if it is not comprehensive). That is the point, at least in this forum it is: compliance with regulations that require certain security activities, practices, and procedures, most of which revolve around accountability and auditing of proper security methodologies. If you pass compliance, you must be to some degree complying with the requirements. It may not be much, but it's better than the guy you mentioned with the "won't happen to me" attitude.


If you pass compliance, you must be to some degree complying with the requirements.

I agree passing compliance means that you are at least providing the security that is required. It's funny how you can have a little non-compliance to get the funding to increase or upgrade your security.

Some vague terms, and a timmy being off his rocker, seem to have taken this thread to a very ambiguous place.

This is where much of the ambiguity comes from:
Compliance = Meeting the requirements as defined by a relevant standard, guideline, procedure, or policy.
Security = Totally vague. Typically "security" is related to the reduction of risk. If risk has been reduced to an acceptable level, something may be said to be "secure" (enough).

Now, by these terms clearly security is more important. How?

An organization is non-compliant with their internal policy, however a resulting loss is considered acceptable. This organization put security first and was lax on their compliance; had they been more strict on their compliance, it is safe to assume that the loss would not have increased, however their expenses would have, potentially resulting in a situation where safeguards end up costing more than they are justified by the risk.

It isn't always this simple, for some organizations an instance of non-compliance may result in a total loss (no longer able to legally operate/serious lawsuits.)

In these instances, although the logic of security being more important still applies (because the lack of compliance boosts the risk), compliance gets more direct attention, so it could be considered to receive top priority even though it is done for security.

Timmy: You said how you belong to a large corporation. Could that possibly affect the policies on how your company runs its security measures/practices?

Compliance = Meeting the requirements as defined by a relevant standard, guideline, procedure, or policy.
Security = Totally vague. Typically "security" is related to the reduction of risk. If risk has been reduced to an acceptable level, something may be said to be "secure" (enough).

Co-sign. Security can mean anything and typically does... it varies. Compliance means that the requirements of the standard that's set are being met (or, like catch said, the procedure/policy). Now as long as those standards, procedures, etc. are being met and cover the important aspects of the policy on how things are run, then there shouldn't be much to worry about.